A report from Trend Micro’s TrendLabs has found that spammers are actually utilizing groups of workers in India to solve CAPTCHA tests for them when signing up for free e-mail accounts.

CAPTCHA challenge-response tests are problematic for spammers as they serve up a range of letters and digits that are difficult for anything other than a human being to decipher. Some tools to beat them do exist, but their success rate is around the 30% mark.

Now spammers are getting more organized and employing very cheap labor in India to solve the CAPTCHAs. An individual in India earning just a few dollars a day takes the CAPTCHA success rate up into the high 90s.

Rik Ferguson of Trend Micro commented:

The cybercrime industry is no longer the reserve of individuals, but that of organised gangs with large amounts of cash available to them. By employing people to solve the CAPTCHA problem, for as little as £2 or £3 a day, cybercriminals have access to millions of registered accounts … These accounts are then used to send millions of spam messages with the aim of infecting users with a variety of malware, such as a keylogger that intends to solicit personal information such as banking information or passwords.

You can certainly see why the spammers would consider paying for a service such as this. For minimal investment you get an almost perfect rate of CAPTCHA solves and the resulting e-mail accounts must be worth much more than the wage of the worker who solved the CAPTCHA.

There is no easy way to solve this problem, as any additional checks done when signing up for an e-mail account will be based on proving that an individual is carrying out the registration. Spammers have solved that problem by using real people. Regulation is the only other route, with companies that provide individuals to solve CAPTCHAs being targeted and shut down… easier said than done.

Reader Comments

warthan58

Regulation won't work. We have regulation now that doesn't work.

The only thing that's ever going to work is to charge money for sending e-mails. On a daily basis, make the first 100 free, and charge 1-cent for every e-mail after that. This way, personal and legitimate business e-mails get out, and only mass e-mailers are affected.

There are legit mass-mailings, but we can live without them. I really don't need to know the instant Microsoft puts out a new TechNet blog, or when someone replies to my post on a forum.

1-cent e-mails are still a very good deal for doing legit business, and a very bad deal for spammers. But maybe corporate America wants spammers. After all, spamming has created a multi-billion dollar anti-spam industry.

iturk

Guess who's using their new OLPC to make money? In one sense I have to admire the spammers' ingenuity. Each human brain is a very powerful computer if utilized properly. Too bad someone isn't harnessing that super computer for better use…

Bill Tkach

The email hosting company should be held responsible. If they can say that bit-torrent sites that hold hash codes that point to other sites are aiding & abetting crime, then email hosting companies are providing the same thing to spammers. They are providing a free service that allows illegal activity to take place.
They need to add more control to their systems. A normal ordinary person signing up for gmail (or hotmail, or whatever it may be) is not going to sign up, then send 10,000 legitimate emails that day. They should limit those users who first sign up to say, 25 emails a day. Very reasonable, I think. They can receive as many as they wish. Google can introduce systems that monitor accounts and rate them on what is sent out, granting more email sending rights as they are more trustworthy. This would at least slow the crooks down for a while.
Maybe make it so the person registering has to call in to the USA to register the captcha by phone. A one time call for most users, which is not a big deal, but for a criminal registering thousands of accounts, that’s lots of phone calls, and will also bring their phone company into the fold, so they could have more troubles.
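
The graduated sending quota proposed in the last comment, sketched as an added example; it is not part of the original article or its comments. Only the starting cap of 25 e-mails a day comes from the comment: the growth factor, ceiling, complaint threshold and all names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

NEW_ACCOUNT_LIMIT = 25      # starting daily cap (figure from the comment)
GROWTH_FACTOR = 2           # assumption: cap doubles after each clean sending day
MAX_LIMIT = 1000            # assumption: ceiling for a fully trusted account
COMPLAINT_THRESHOLD = 0.01  # assumption: spam-report rate that resets trust


@dataclass
class Account:
    name: str
    daily_limit: int = NEW_ACCOUNT_LIMIT
    sent_today: int = 0
    complaints_today: int = 0

    def try_send(self) -> bool:
        """Outbound mail only; receiving is never limited."""
        if self.sent_today >= self.daily_limit:
            return False
        self.sent_today += 1
        return True

    def report_spam(self) -> None:
        self.complaints_today += 1

    def end_of_day(self) -> int:
        """Re-rate the account on what it sent and set tomorrow's cap."""
        if self.sent_today:  # idle days earn no extra trust
            rate = self.complaints_today / self.sent_today
            if rate > COMPLAINT_THRESHOLD:
                self.daily_limit = NEW_ACCOUNT_LIMIT
            else:
                self.daily_limit = min(self.daily_limit * GROWTH_FACTOR, MAX_LIMIT)
        self.sent_today = self.complaints_today = 0
        return self.daily_limit


def simulate(days):
    """days: constructed (attempted_sends, complaints) pairs, one per day.
    Returns (delivered, next_day_limit) for each day."""
    acct = Account("constructed-sample")
    results = []
    for attempts, complaints in days:
        delivered = sum(acct.try_send() for _ in range(attempts))
        for _ in range(complaints):
            acct.report_spam()
        results.append((delivered, acct.end_of_day()))
    return results
```
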